topic Re: Access to inside network from second vlan in Network Security

Access to inside network from second vlan

michael.m.williams — Mon, 11 Mar 2019 14:56:16 GMT

I placed a network 10.71.180.128/25 (VLAN71) behind the inside interface of my ASA5505. I have a server on this network that i have to access from both the internet and from inside my network. I understand i can create a NAT rule to access the inside server from the internet, but have not been able to figure out how I can have computer (10.100.10.1) in other internal subnet 10.100.10.0/28 access server 10.71.180.140. I only have basic package on ASA5505.

Help please.

Mike

Re: Access to inside network from second vlan

andrew.prince — Tue, 24 Feb 2009 16:56:59 GMT

Mike,

How are you "routing" to the VLAN? Thru a layer 3 device?

Re: Access to inside network from second vlan

michael.m.williams — Tue, 24 Feb 2009 16:59:41 GMT

Yes, I have a flat network and all routing is done by my core 6513.

Mike

Re: Access to inside network from second vlan

andrew.prince — Tue, 24 Feb 2009 17:03:31 GMT

So I take it that you have 2 SVI interfaces one in 10.100.10.0/28 and the other in 10.71.180.128/25 ?

Re: Access to inside network from second vlan

michael.m.williams — Tue, 24 Feb 2009 17:14:34 GMT

Yes here is my config.

Mike

Re: Access to inside network from second vlan

andrew.prince — Tue, 24 Feb 2009 17:19:44 GMT

Mike,

If you have a 6513 that is performing IP routing, why are you not just routing between the 2 SVI interfaces in the 6513??

Do you have a specific requirement to put vlan 71 and vlan 100 behind a firewall to protect them from each other?

Re: Access to inside network from second vlan

michael.m.williams — Tue, 24 Feb 2009 21:10:26 GMT

The way we structure our PCI compliance networks is to place them behind an ASA. VLAN71 is the network that needs to be isolated, but I have a server in VLAN that exchanges information with one of the server in VLAN71. Vender needs to come in from outside to mange the server in VLAN71

Re: Access to inside network from second vlan

andrew.prince — Wed, 25 Feb 2009 13:14:46 GMT

OK - firstly from the config you posted, the interface in VLAN100 E0/4 is shutdown, you need to open it.

Secondly I would change the VLAN100 security level from 100 to a lower number. As interfaces with the same level do not have to go thru an access-list. Currently this breaks your PCI compliance.

Thirdly just to make sure I would configure a NAT exemption between the 2 VLAN interfaces.

HTH>

Re: Access to inside network from second vlan

michael.m.williams — Wed, 25 Feb 2009 22:57:45 GMT

E 0/5 is now active, lowered security level to 0 on VLAN 100

But I don't really understand the NAT excemption rule. I want 10.100.10.1 to be able to access 10.71.180.136 (inside network) server.

Mike

Re: Access to inside network from second vlan

andrew.prince — Thu, 26 Feb 2009 09:42:57 GMT

OK - personally I would have the security level to 50 - then I know

My inside is 100 = totally trusted

My outside is 0 = totally un-trusted

My VLAN100 is 50 = can access the internet, but I need to write an acl for traffic originating in the VLAN100 to the inside.

You must look at your NAT - bu default all traffic passing from a lower interface to a higher and vice versa is natt'ed.

So I would have something likeP:-

global (outside) 1 interface

nat (inside) 1 w.w.w.w x.x.x.x

nat (VLAN100) 1 y.y.y.y z.z.z.z

The above will NAT all traffic to the internet using the outside IP address, then the nat exemption

access-list no-nat permit ip w.w.w.w x.x.x.x y.y.y.y z.z.z.z

access-list no-nat-permit ip y.y.y.y z.z.z.z w.w.w.w x.x.x.x

nat (inside) 0 access-list no-nat

nat (VLAN100) 0 access-list no-nat

The above tells the firewall not to nat when the source and destinatiobn match = everything else should be natt'ed.

w.w.w.w x.x.x.x = VLAN 71 IP subnet & mask

y.y.y.y z.z.z.z = VLAN100 IP subnet & mask

Then you need to allow access from server to server

access-list allow-server permit ip host 10.100.10.1 host 10.71.100.136

access-group allow-server in interface VLAN100

HTH>

Re: Access to inside network from second vlan

michael.m.williams — Fri, 27 Feb 2009 15:16:07 GMT

It would not allow me to enter

nat(VLAN100) 1 10.100.10.0 255.255.255.128

Currently there is no nameif for the interface. So I attempted to add on. here is the error I got.

ERROR: This license does not allow configuring more than 2 interfaces with

nameif and without a "no forward" command on this interface or on 1 interface(s)

with nameif already configured.

Do i need to upgrade the license first?

Mike

Re: Access to inside network from second vlan

andrew.prince — Fri, 27 Feb 2009 15:34:50 GMT

This error has occured due to a license limitation on ASA. You need to obtain the Security Plus license in order to configure more VLANs as in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

go to:-

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1931294

for the "forward interface" command & explaination.

HTH>

Re: Access to inside network from second vlan

andrew.prince — Fri, 27 Feb 2009 15:36:13 GMT

I think that you could just move the "outside" off VLAN 2 and into a specific interface - then you can have 2 vlans without having to upgrade!

Re: Access to inside network from second vlan

andrew.prince — Fri, 27 Feb 2009 15:58:51 GMT

Actually just thinking about it another possible solution would be:-

Move the inside interface into it's own interface. Then create a sub-interface and tag it with a vlan id.

On your switch either make the physical port conneecting to the ASA a trunk port or.......have it as a normal switch port in the inside VLAN, then if your switch supports it use the AUX vlan for your DMZ.

HTH>

Re: Access to inside network from second vlan

michael.m.williams — Fri, 27 Feb 2009 17:54:00 GMT

No VLAN 100 does not have to access outside interface, just talk to server on inside VLAN.

I have configured everything for nat exemption and added no forward command to outside interface. (vlan 2). I went ahead and confiured two test laptops on in vlan 71 (inside) 10.71.180.135 and one in VLAN 100, 10.100.10.114. To check connectivity I pinged from inside ip to VLAN 100 on the ASA CLI and I am good, but can't ping from 10.100.10.114 ip to computer on inside interface or ping inside interface.

Thanks for your help.

Mike

Re: Access to inside network from second vlan

andrew.prince — Fri, 27 Feb 2009 19:07:32 GMT

OK - firstly you have a config error:-

access-list allow-server extended permit ip host 10.100.10.114 host 10.71.100.135

should read:-

access-list allow-server extended permit ip host 10.100.10.114 host 10.71.180.135

secondly have you configured the default gateway on the laptops to the correct ASA interface IP address ?

post the output of

"show access-list allow-server"

Re: Access to inside network from second vlan

michael.m.williams — Fri, 27 Feb 2009 19:22:59 GMT

Config error corrected. Thanks for that. I can't change the default gateway for VLAN 100 because this is an existing network that has other servers on it. 10.100.100.1 provides services to the computers within that network and also needs to communicate with server within VLAN 71 (PCI network). The inside laptop is set up as DHCP and has the correct DFG.

Yes i can ping the 10.71.180.135 when i change the default gateway 10.100.10.114 to 10.100.10.120. If there another way to reach the inside network from VLAN 100 without changing default gateway?

Mike

Re: Access to inside network from second vlan

andrew.prince — Fri, 27 Feb 2009 21:45:36 GMT

I am confused - are you saying that you have a different DG in the VLAN100 subnet?

Then the solution will be to configure a static route in the server that points the 10.71.180.0/24 or 10.71.180.135 host in it's routing table pointing towards the ASA.

HTH>